I am hoping someone can tell me if I am trying something that can't be done.

What I would like to be able to do is set up a Linux file server that Windows users can use, including the use of ACLs. AFAIK this should not be a problem.

The way I would like to go about doing this is what may be a problem.

I would like to be able to add a user to the Directory Server (Fedora) and only via interaction with the Directory Server enable the user to access the Linux file server via Samba. The Samba server would simply be a file server, not a PDC. Everything I have found thus far seems to require that I manually create a Unix account for each user, and then add the Unix user to Samba and LDAP.

Is the way I want to do this not possible, or am I simply reading the wrong docs/being a foolish newbie?

I should also note that I am not tied to Fedora Directory Server if OpenLDAP can do this but Fedora can't.

If anyone can confirm that I can/cannot do what I want I would greatly appreciate it.

Thanks,
-Mont
On Tue, 2005-11-15 at 12:23 -0800, Mont Rothstein wrote:
> I am hoping someone can tell me if I am trying something that can't be done.
>
> What I would like to be able to do is set up a Linux file server that Windows
> users can use, including the use of ACLs. AFAIK this should not be a problem.
>
> The way I would like to go about doing this is what may be a problem.
>
> I would like to be able to add a user to the Directory Server (Fedora) and
> only via interaction with the Directory Server enable the user to access the
> Linux file server via Samba. The Samba server would simply be a file server,
> not a PDC. Everything I have found thus far seems to require that I manually
> create a Unix account for each user, and then add the Unix user to Samba and
> LDAP.
>
> Is the way I want to do this not possible, or am I simply reading the wrong
> docs/being a foolish newbie?
>
> I should also note that I am not tied to Fedora Directory Server if OpenLDAP
> can do this but Fedora can't.
>
> If anyone can confirm that I can/cannot do what I want I would greatly
> appreciate it.
----
You make it really difficult to answer this because your questions focus only on the Posix side, and what we are dealing with is Windows authentication and access to resources, and obviously we need to account for Windows expectations for the Windows client to have a usable experience.

LDAP can be a bunch of different things because it is a piece of putty to be shaped however you choose - the various implementations may or may not be limiting factors.

Samba's expectation is that it ties a Windows authentication (generally a password hash and SID) to a Posix account (a shell, valid or not, and a home directory), and the combination is used to evaluate access to resources.

The beauty of open source is that the tools are there for you to modify as you see fit, but you must always keep in mind that it's easier to swim in the direction of the tides.
If your question is Fedora Directory Server or openldap, I simply can't answer that because I only have used openldap - perhaps some others can. I can tell you that for the most part, data can be migrated between the two (possibly with some editing, but knowledge of perl/sed etc. can make that a much easier task) and that the knowledge of one ldap server will certainly leverage against learning the other.

The only way for you to actually answer your question is to jump in, because your question is a bit too general on all things windows and all things ldap to give you a specific answer.

Craig
Mont Rothstein wrote:
> I am hoping someone can tell me if I am trying something that can't be done.

Well, if I understood you correctly I'll say yes ;)

Don't make it harder than it is, there are only three parties involved:

1) Windows (the client)
2) Samba ("app server")
3) LDAP (authentication backend)

Windows never talks directly to LDAP (at least not in this scenario), it always contacts samba, PDC or not. So the windows box asks samba "hey, I want to write to your disk..." and samba, being a sensitive piece of software, insists: "Wait a minute, tell me who you are and prove this somehow, then I'll ask my backend if it knows you and if your proof holds true,...". The stupid windows client, not knowing that he speaks to the glorious UNIX world, sends its usual credentials, a string like MYWORKSTATION\joe and a "secret" hash.

Now samba looks for a UNIX user joe via the normal system calls used on unix, and in its configured backend for the hash and all the other pieces needed in the windows world and not present on a normal unix system account.

Samba absolutely DOES NOT CARE where the unix NAMES (+uid,gid) come from. They need to be known to the system where samba is installed, period. Fortunately, linux/unix has quite a few sources where names may come from. This is abstracted through the NSS interface and implemented by shared libraries whose names happen to be libnss_<servicename>.so. If you have a line like:

    passwd: files ldap

in your /etc/nsswitch.conf, the system will ask libnss_files.so and libnss_ldap.so for the names and numbers commonly known as "accounts".

In your case, you want to enable/disable/setup users in LDAP only. All you have to do is:

1. Instruct your system to fetch unix NAMES from ldap (nss_ldap).
2. Instruct samba to fetch the windows bits from ldap (passdb backend).

I couldn't stress this point of common misconception less, sorry.

Paul
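As an added illustration (not Paul's code and not part of the original thread), here is a small checker for the two prerequisites Paul lists: NSS resolving passwd/group names via ldap, and Samba's passdb backend pointing at LDAP. The sample nsswitch.conf and smb.conf fragments are constructed, and the LDAP URL and suffix in them are placeholders.

```python
import re

# Constructed sample inputs (not from any real host); the LDAP URL is a placeholder.
NSSWITCH_SAMPLE = """\
passwd:     files ldap
group:      files ldap
shadow:     files
"""

SMB_CONF_SAMPLE = """\
[global]
   workgroup = EXAMPLE
   security = user
   passdb backend = ldapsam:ldap://ldap.example.invalid
   ldap suffix = dc=example,dc=invalid
"""

def parse_nsswitch(text):
    """Return {database: [sources...]} from nsswitch.conf text."""
    db = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if ":" in line:
            name, sources = line.split(":", 1)
            db[name.strip()] = sources.split()
    return db

def parse_smb_global(text):
    """Return the [global] section of smb.conf as {key: value} (keys lowercased)."""
    section, params = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":                # skip blanks and comments
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_ldap_setup(nsswitch_text, smb_text):
    """Report the two prerequisites: NSS pulls names from ldap, Samba's passdb is ldapsam."""
    nss = parse_nsswitch(nsswitch_text)
    smb = parse_smb_global(smb_text)
    return {
        "nss_passwd_ldap": "ldap" in nss.get("passwd", []),
        "nss_group_ldap": "ldap" in nss.get("group", []),
        "samba_passdb_ldap": smb.get("passdb backend", "").startswith("ldapsam:"),
    }
```

On a real host you would feed it the contents of /etc/nsswitch.conf and smb.conf; a False in any field is the part of the setup still missing.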